Ping Identity

Learn how to configure Ping Identity as an identity provider (IdP) to work with Pomerium.

note

While we do our best to keep our documentation up to date, changes to third-party systems are outside of our control. Refer to Adding an application from Ping's documentation as needed, or let us know if we need to update this page.

Before you start

To complete this guide:

Configure PingOne

After creating a PingOne account and signing in, you'll be directed to the PingOne console.

Create an OIDC web app

In the PingOne console:

  1. From the Applications sidebar menu, select Applications and create a new application (+).
  2. Enter an Application Name and an optional description or logo.
  3. Select OIDC web app and Save.

Create a new OIDC web app in the PingOne console

Configure the OIDC web app

To configure your OIDC web app:

  1. Select the Configuration tab, then select the edit icon.
  2. In the Redirect URIs field, enter your authenticate service URL with the /oauth2/callback path appended to it.
  3. Select Save.

Entering the Pomerium authenticate service URL with the oauth2 callback path in PingOne console

Next, configure attribute mappings:

  1. Select the Attribute Mappings tab, then select the edit icon.
  2. Select +Add.
  3. In the Attributes field, enter email.
  4. In the PingOne Mappings dropdown menu, select Email Address.
  5. Select Save.

Entering attribute mappings in PingOne

Enable the OIDC web app with the toggle button:

Enable the OIDC web app in the Ping console

Save the following details from the Configuration tab (you need these to configure Pomerium):

  • Client ID
  • Client Secret
  • Issuer URL

Configure Pomerium

Update your Pomerium configuration to use Ping as the IdP:

Configuring PingOne as an IdP in Pomerium Zero
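For Pomerium Core, the same settings go into the configuration file. The fragment below is an added example, not taken from the page's screenshot or from the Pomerium project: the `idp_provider`, `idp_provider_url`, `idp_client_id`, `idp_client_secret` and `authenticate_service_url` keys are Pomerium configuration options, while every value (the authenticate host, environment ID, client ID and secret) is a placeholder to replace with the details saved from the PingOne Configuration tab.

```yaml
# Pomerium Core configuration fragment (added example; values are placeholders).

# Public URL of the Pomerium authenticate service. PingOne must list exactly
# this URL with /oauth2/callback appended as the app's Redirect URI, e.g.
# https://authenticate.example.com/oauth2/callback
authenticate_service_url: https://authenticate.example.com

# Use the Ping provider type.
idp_provider: ping

# The Issuer URL shown on the PingOne Configuration tab. Pomerium discovers
# the OIDC endpoints from <issuer>/.well-known/openid-configuration, so the
# value must match the issuer exactly (scheme, host and path, no trailing slash).
idp_provider_url: https://auth.pingone.com/<ENVIRONMENT-ID>/as

# Client ID and Client Secret from the PingOne Configuration tab.
# Keep the secret out of version control; load it from a secret store or
# an environment variable in real deployments.
idp_client_id: <CLIENT-ID>
idp_client_secret: <CLIENT-SECRET>
```

If sign-in fails after applying this, the two values to check first are the Redirect URI registered in PingOne (it must equal `authenticate_service_url` plus `/oauth2/callback`) and the `idp_provider_url` (it must be the Issuer URL, not the console or authorization-endpoint URL).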

Configure Groups

Custom Claim (Zero, Core)

A groups claim can be added to tokens returned from Ping by adding the claim to the "Attribute Mappings":

Ping Attribute Mappings

Now, when a user signs in, their token will include a custom groups claim containing the groups they are a member of. You can use the claim PPL criterion in your authorization policy:

```yaml
allow:
  and:
    - claim/groups: 49dfb9e6-f81f-4a1c-b4a3-d0122ebe4aab
```

note

The groups claim contains group IDs, not group names.
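The following route definition is an added example, not configuration from the page or from the Pomerium project; it shows the `claim/groups` criterion in the context of a complete Pomerium Core route and goes one step beyond the snippet above by allowing members of either of two groups. The `from` and `to` URLs and both group IDs are placeholders.

```yaml
# Pomerium Core route with a group-based policy (added example; placeholders).
routes:
  - from: https://app.example.com        # hypothetical public route
    to: http://app.internal:8080         # hypothetical upstream
    policy:
      allow:
        # "or": a user is allowed when their groups claim contains ANY of the
        # listed values. Use "and" instead to require every listed group.
        or:
          # Each value must be the PingOne group ID (a UUID), not the display
          # name. A value such as "engineering" will never match, because
          # the groups claim mapped in PingOne carries IDs only.
          - claim/groups: <GROUP-ID-1>
          - claim/groups: <GROUP-ID-2>
```

To confirm the mapping before relying on it, sign in once and inspect the session's ID token claims (for example via Pomerium's `/.pomerium` endpoint): the `groups` value should be a list of UUIDs, and those are the values to paste into the policy.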